Creating an index is typically a task for administrators, who determine where to store data. For this tutorial, you will create an index for your data, which you can remove later if you want. For best practices, see App Design Patterns - Creating Indexes on Splunk Blogs.

Enter an Index Name, and leave Search and Reporting selected for App.

You should not include index definitions with your app or build your searches to rely on the existence of a specific index. The Search and Reporting app is the default location for index definitions. If you create an index from the command line without specifying a location, the index is created under $SPLUNK_HOME/etc/apps/search/local. For more about making your app index-independent, see Use macros to avoid index dependency.

Most of the other options on the New Index dialog box are used for determining where to store data and how much to store. For details, see Indexes, indexers, and indexer clusters in the Managing Indexers and Clusters of Indexers manual.

Click Save to create your index.

Click Review, then click Submit to upload your data to the new index.

You can also create indexes from the command line as follows:

Open a command prompt and navigate to $SPLUNK_HOME/bin.

Enter the following at the command prompt, where your_index_name is the name of your index:

On Mac, enter:

./splunk add index your_index_name

On Windows, enter:

splunk add index your_index_name

Enter your Splunk username and password when prompted.

Unless you specify a different location, the index is created in $SPLUNK_HOME/etc/apps/search/local.

To remove an index, enter the following at the command prompt:

On Mac, enter:

./splunk remove index your_index_name

On Windows, enter:

splunk remove index your_index_name

Recap

Now you've added some data to Splunk Enterprise that your app can access. Let's review the changes made to your app's structure.

Two files in the Search and Reporting app have been updated: $SPLUNK_HOME/etc/apps/search/local/indexes.conf and $SPLUNK_HOME/etc/apps/search/metadata/local.meta. The local.meta file now contains a stanza at the end that provides additional information about the new index, which is called "hello_index" in the following diagram:

The indexes.conf file now contains a stanza at the end that defines the new index, which is called "hello_index" below:

Because these configurations are stored outside of your app, you don't need to remove them before you package your app. The data we uploaded is stored in this index. When you're done with this tutorial, you can delete the index to remove the sample data from your Splunk instance. You can also restrict searches to this specific index using the "index=hello_world" search command to speed up searches. However, your app won't work if this index isn't present. Carefully consider the tradeoffs when restricting your app to a specific index.
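
The following pre-packaging check is an added example, not part of the original tutorial or of Splunk's tooling. It scans an app directory for index definitions shipped in indexes.conf and for saved searches that hardcode an index= term instead of calling a macro. The app name hello_app, the macro name hello_index_macro, and the sample file contents are constructed for illustration, and the .conf parser is simplified (no line continuations).

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[(.+)\]\s*$")
# Literal index=<name> search term; a macro call such as `hello_index_macro` does not match.
INDEX_TERM = re.compile(r"\bindex\s*=\s*\"?([\w\-*]+)")

def read_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}; a missing file gives {}."""
    stanzas, current = {}, "default"
    lines = path.read_text().splitlines() if path.is_file() else []
    for raw in lines:
        line = raw.strip()
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def find_index_dependencies(app_dir):
    """Return (index definitions shipped in the app, hardcoded index= terms in saved searches)."""
    definitions, hardcoded = [], []
    for sub in ("default", "local"):
        conf_dir = Path(app_dir) / sub
        for stanza in read_conf(conf_dir / "indexes.conf"):
            if stanza != "default" and not stanza.startswith("volume:"):
                definitions.append((f"{sub}/indexes.conf", stanza))
        for stanza, settings in read_conf(conf_dir / "savedsearches.conf").items():
            for name in INDEX_TERM.findall(settings.get("search", "")):
                hardcoded.append((f"{sub}/savedsearches.conf", stanza, name))
    return definitions, hardcoded

def build_sample_app(root):
    """Write a constructed sample app (hypothetical name hello_app) under root."""
    default = Path(root) / "hello_app" / "default"
    default.mkdir(parents=True)
    (default / "indexes.conf").write_text("[hello_index]\nhomePath = $SPLUNK_DB/hello_index/db\n")
    (default / "savedsearches.conf").write_text(
        "[Hardcoded]\nsearch = index=hello_index | stats count\n"
        "[Portable]\nsearch = `hello_index_macro` | stats count\n")
    return default.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_index_dependencies(build_sample_app(tmp)))
```

An empty result for both lists means the app neither ships an index definition nor names a specific index in its saved searches.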
